
OIDC Dynamic TenantConfigResolver issue in dev mode #42713

Open
@bpasson

Description

Describe the bug

As requested by @sberyozkin, a bug report for a few issues which are going wrong when using OIDC Config Resolver, also known as dynamic clients.

Dev Services won't start when default tenant disabled

The dev-services won't start when the default tenant is disabled. But they should start as normal, as it could be the case you want only dynamic configurations and no default configuration. A realm import for dev services could supply all needed dynamic clients.

I worked around this by disabling the default tenant on boot in this reproducer, see the DummyTenantIdHeaderFilter.

Resolved Tenant ID not backed by actual OIDC client

The OidcUtils.TENANT_ID_ATTRIBUTE offered through the RoutingContext in the public Uni<OidcTenantConfig> resolve(RoutingContext context, OidcRequestContext<OidcTenantConfig> requestContext) method of the TenantConfigResolver is used by Quarkus to notify us of an earlier resolved tenant-id. It fails, however, to verify if the OidcTenantConfig for that specific tenant-id is still present. Use the following steps to reproduce the issue:

  1. Start the application in dev-mode
  2. Clear all cookies for http://localhost:8080
  3. Open http://localhost:8080
  4. Log in with bob/bob
  5. Restart the application in dev-mode
  6. Reload http://localhost:8080
  7. You now get a status 401, where you would expect to get a login screen.

The only way to fix it is to fully restart Quarkus in dev-mode.

Hot Code Reload in Dev Mode breaks dynamic configuration

If you alter code, e.g. change the string in GreetingResource, and reload the page, dev-mode will perform a hot code reload and you end up with an "ID token verification has failed: Client is closed" log message and a status 401. Use the following steps to reproduce the issue:

  1. Start (restart if still running) the application in dev-mode.
  2. Clear all cookies for http://localhost:8080
  3. Go to http://localhost:8080
  4. Log in with bob/bob
  5. Alter the test in GreetingResource
  6. Reload http://localhost:8080
  7. You now get a status 401 and the "ID token verification has failed: Client is closed" message in the logs.

The only way to fix it is to fully restart Quarkus in dev-mode.

Expected behavior

The expected behavior in this case is that the reproducer steps should not give failures.

Actual behavior

See the reproducer project here https://github.com/bpasson/quarkus-issue-42713

How to Reproduce?

See the reproducer project here https://github.com/bpasson/quarkus-issue-42713

Output of uname -a or ver

Darwin Kernel Version 23.6.0: Mon Jul 29 21:14:30 PDT 2024; root:xnu-10063.141.2~1/RELEASE_ARM64_T6000 arm64

Output of java -version

openjdk version "21.0.4" 2024-07-16 LTS

Quarkus version or git rev

3.13.3

Build tool (ie. output of mvnw --version or gradlew --version)

Apache Maven 3.9.8 (36645f6c9b5079805ea5009217e36f2cffd34256)

Additional information

No response
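
For reference, a TenantConfigResolver that treats the earlier resolved tenant-id from OidcUtils.TENANT_ID_ATTRIBUTE as a hint and checks it against its own tenant list before building an OidcTenantConfig. This is an added example, not code from the reproducer or from Quarkus, and it does not change the dev-mode behaviour reported above. The package, allowlist contents, header name, client id and config property name are assumptions, and it uses the setter-style OidcTenantConfig API.

```java
package org.acme; // hypothetical package

import java.util.Map;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import io.quarkus.oidc.OidcRequestContext;
import io.quarkus.oidc.OidcTenantConfig;
import io.quarkus.oidc.OidcTenantConfig.ApplicationType;
import io.quarkus.oidc.TenantConfigResolver;
import io.quarkus.oidc.runtime.OidcUtils;
import io.smallrye.mutiny.Uni;
import io.vertx.ext.web.RoutingContext;
import jakarta.enterprise.context.ApplicationScoped;

@ApplicationScoped
public class CheckedTenantConfigResolver implements TenantConfigResolver {

    // Constructed allowlist: tenant-id -> issuer URL (assumption; load from your own store).
    private static final Map<String, String> KNOWN_TENANTS =
            Map.of("tenant-a", "http://localhost:8180/realms/tenant-a");

    @ConfigProperty(name = "acme.oidc.client-secret") // hypothetical property name
    String clientSecret;

    @Override
    public Uni<OidcTenantConfig> resolve(RoutingContext context,
            OidcRequestContext<OidcTenantConfig> requestContext) {
        // Tenant-id Quarkus resolved on an earlier request, if any.
        String resolved = context.get(OidcUtils.TENANT_ID_ATTRIBUTE);
        // Hypothetical header that selects the tenant on a first request.
        String requested = context.request().getHeader("X-Tenant-Id");
        String tenantId = resolved != null ? resolved : requested;

        // Both values are only hints: without a matching allowlist entry there is no
        // client behind the id, so return null and leave resolution to the static tenants.
        String issuer = tenantId == null ? null : KNOWN_TENANTS.get(tenantId);
        if (issuer == null) {
            return Uni.createFrom().nullItem();
        }
        OidcTenantConfig config = new OidcTenantConfig();
        config.setTenantId(tenantId);
        config.setAuthServerUrl(issuer);
        config.setClientId("dynamic-client"); // hypothetical client id
        config.getCredentials().setSecret(clientSecret);
        config.setApplicationType(ApplicationType.WEB_APP);
        return Uni.createFrom().item(config);
    }
}
```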
